"Windows cannot find iexplore.exe"


14 replies to this topic

#1 Adrick


Posted 17 February 2009 - 11:13 AM

I read the preparation guide: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
1. So, I have a backup.
2. I ran through the "Slow Computer" Guide:
-ran Disk Cleanup
-ran CHKDSK
-ran a windows defrag
-ran IObit smart defrag
-ran PageDefrag
-tried to eliminate superfluous processes/services/apps loading at startup
-Disabled indexing
-Disabled ctfmon.exe (hopefully)
-Removed Avira in favor of CA Internet Security (I believe Avira is the better of the two but I HATE nag screens and I'm poor.)
-Created New Restore Point.
(I never expected any of this to fix my problem but why pass up free advice to speed up my PC?)

3. & 4. have little to do with my issue
5. Activated windows firewall (non-configured, just turned the sucker on)
6. Ran DDS

Other steps I have taken are running virus scans and spyware scans; other than that I've done almost nothing.
I'm including two small screen shots. The first is of the error and the second is of iexplore.exe, I will also transcribe the error message.

Posted Image
Windows cannot find 'C:\Program Files\Internet Explorer\iexplore.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Posted Image
Thar' she blows!




#2 DaChew


Posted 17 February 2009 - 03:09 PM

Are there any other signs that might indicate your computer is infected with malware?
Chewy

No. Try not. Do... or do not. There is no try.

#3 Adrick


Posted 17 February 2009 - 11:33 PM

Whenever I run a Spybot search (or any other malware search) I usually pull something up, and before IE stopped running I would randomly get a blank page or a completely different webpage than the one I was linked to/typed in. This leads me to believe there is a backdoor (or a trojan?) that isn't being removed for whatever reason.

Other than that, nothing. The only program affected seems to be IE and I haven't noticed any decrease in performance.

P.S. Thanks for a snappy response.



#4 DaChew


Posted 18 February 2009 - 02:26 AM

Let's try a couple of things before we explore (no pun intended) other possibilities.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy


#5 Adrick


Posted 18 February 2009 - 11:58 PM

So, first things first-- Here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1778
Windows 5.1.2600 Service Pack 3

2009-02-18 23:53:12
mbam-log-2009-02-18 (23-53-12).txt

Scan type: Quick Scan
Objects scanned: 75647
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.

************************************************************
END OF LOG * END OF LOG * END OF LOG * END OF LOG * END OF LOG
************************************************************



Something happened when I restarted the computer though, I got the same error as with iexplore.exe, however, instead of that executable it has "C:/Startup." Not the focus of this thread but I thought I would mention it in case it becomes pertinent.

Attempting to launch iexplore.exe (or any shortcuts) brings up the error message.

FYI, I scoffed uncontrollably at your un-pun...

#6 DaChew


Posted 19 February 2009 - 05:19 AM

Please download Dr.Web CureIt to the Desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe

  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
    This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan. This time, choose Complete Scan.
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all.
  • Click on Cure and choose Move incurable.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it in Notepad).
Chewy


#7 Adrick


Posted 20 February 2009 - 03:58 PM

psexesvc.exe;c:\windows;Program.PsExec.170;Incurable.Renamed.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;Incurable.Moved.;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Archive contains infected objects;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.3.30.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;Incurable.Moved.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0188698.reg;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1094;Probably SCRIPT.Virus;Incurable.Moved.;
A0188735.reg;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1094;Trojan.StartPage.1505;Deleted.;
A0199193.exe\data105;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109\A0199193.exe;Trojan.Fakealert.3962;;
A0199193.exe\data106;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109\A0199193.exe;Trojan.Fakealert.3962;;
A0199193.exe\data108;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109\A0199193.exe;Trojan.Fakealert.3962;;
A0199193.exe\data110;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109\A0199193.exe;Trojan.Fakealert.3962;;
A0199193.exe;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109;Archive contains infected objects;Moved.;
A0199329.dll;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109;Trojan.Fakealert.3962;Deleted.;
A0199330.exe;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109;Trojan.Fakealert.3962;Deleted.;
A0199332.exe;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109;Trojan.Fakealert.3962;Deleted.;
A0199333.exe;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109;Trojan.Fakealert.3962;Deleted.;
A0227893.EXE;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1168;Program.PsExec.170;Incurable.Moved.;
A0227894.exe\data529;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1168\A0227894.exe;Probably BACKDOOR.Trojan;;
A0227894.exe;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1168;Archive contains infected objects;Moved.;
psexesvc.#xe;C:\WINDOWS;Program.PsExec.170;Incurable.Moved.;
A0227903.exe;F:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1169;Trojan.MulDrop.26171;Deleted.;

************************************************************
END OF LOG * END OF LOG * END OF LOG * END OF LOG * END OF LOG
************************************************************



Error Remains. Thanks for your help Chewie!

P.S. That was a LOOOONNNGG scan! lol


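An added example, not part of the post above and not Dr.Web's own code: a Python triage of the DrWeb.csv report. Most hits in the log sit under System Volume Information (System Restore snapshots, dormant copies that were never running from there), two are Program.PsExec (the PsExec copy in the ComboFix folder, a dual-use admin tool), and the rest are "Probably ..." heuristic verdicts. Separating those buckets is the first step before reading the report as evidence of a live infection. The sample records are copied from the log; the list of dual-use detections is an assumption.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) like the one pasted above.

Added example: not part of the forum post and not Dr.Web's own code. The
record layout is read off the pasted log, semicolon-separated
    name;directory;detection;action;
where name is "archive.exe\\member" for a hit inside an archive and action
is empty when the verdict applies to such a member (the archive itself gets
its own line). The sample below is a subset of that log; the list of
dual-use tool detections is an assumption for this example.
"""
import re

SAMPLE_REPORT = r"""
psexesvc.exe;c:\windows;Program.PsExec.170;Incurable.Renamed.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;Incurable.Moved.;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024\ocpinst.exe;Probably BACKDOOR.Trojan;;
regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;Incurable.Moved.;
A0188735.reg;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1094;Trojan.StartPage.1505;Deleted.;
A0199329.dll;C:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1109;Trojan.Fakealert.3962;Deleted.;
A0227903.exe;F:\System Volume Information\_restore{2E806ACE-312C-485A-B8C4-51150AD3644F}\RP1169;Trojan.MulDrop.26171;Deleted.;
"""

# Detections that name dual-use admin tools rather than malware. PsExec is
# listed because a copy sits in the ComboFix folder (assumption: edit to taste).
KNOWN_TOOL_DETECTIONS = (re.compile(r"^Program\.PsExec\.", re.I),)
# "Probably ..." is Dr.Web's heuristic verdict: lower confidence than a named signature.
HEURISTIC = re.compile(r"^Probably\b", re.I)
# System Restore snapshots: dormant copies, not the running infection.
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.I)

BUCKETS = ("signature", "heuristic", "known_tool", "restore_point")


def parse_report(text):
    """Yield one dict per record; tolerate the trailing ';' and empty actions."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, directory, detection, action = (line.split(";") + [""] * 4)[:4]
        yield {
            "name": name,
            "directory": directory,
            "detection": detection,
            "action": action,
            "in_archive": "\\" in name,
        }


def classify(rec):
    """Order matters: location first, then verdict type."""
    if RESTORE_POINT.search(rec["directory"]):
        return "restore_point"
    if any(p.search(rec["detection"]) for p in KNOWN_TOOL_DETECTIONS):
        return "known_tool"
    if HEURISTIC.search(rec["detection"]):
        return "heuristic"
    return "signature"


def triage(text):
    """Bucket the report so the live, high-confidence hits stand out."""
    result = {b: [] for b in BUCKETS}
    for rec in parse_report(text):
        result[classify(rec)].append(rec)
    return result


def unhandled(text):
    """Records Dr.Web did not act on (empty action) that are not archive
    members, i.e. hits that still need a manual decision."""
    return [r for r in parse_report(text) if not r["action"] and not r["in_archive"]]


if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_REPORT).items():
        print(f"{bucket:14s} {len(recs)}")
        for r in recs:
            where = r["directory"] + "\\" + r["name"]
            print(f"  {r['detection']:28s} {where}  [{r['action'] or 'no action'}]")
```

Run it as a script to see the buckets; on the sample every record lands in restore_point, known_tool or heuristic and the signature bucket stays empty, which is the point: nothing in this report is a named detection on the live system.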

#8 DaChew


Posted 20 February 2009 - 04:16 PM

Let's update MBAM and do another quick scan
Chewy


#9 Adrick


Posted 22 February 2009 - 12:49 AM

I haven't restarted the computer yet. The scan JUST finished (I also haven't tried opening iexplore.exe again yet) and I figured that while I still have the thread open I should post the log:


Malwarebytes' Anti-Malware 1.34
Database version: 1792
Windows 5.1.2600 Service Pack 3

2009-02-22 00:48:35
mbam-log-2009-02-22 (00-48-35).txt

Scan type: Quick Scan
Objects scanned: 76380
Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


************************************************************

END OF LOG * END OF LOG * END OF LOG * END OF LOG * END OF LOG
************************************************************


Just did a restart (probably needlessly, but I like to have a clean slate after doing any type of deep tissue massage) and the error remains. Did a quick sweep with Spybot again and it ALSO tells me that I'm squeaky clean. Curious.

PERPENDICULAR TANGENT: I have the most erratic post schedule I've ever seen...



#10 DaChew


Posted 22 February 2009 - 01:06 AM

This is a scan mode only

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


and also

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.
Chewy


#11 Adrick


Posted 22 February 2009 - 02:25 AM

Smitfraud:

SmitFraudFix v2.398

Scan done at 2:22:54.31, 2009-02-22
Run from C:\Documents and Settings\Optimus Prime\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Optimus Prime


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OPTIMU~1\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Optimus Prime\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\OPTIMU~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.10
DNS Server Search Order: 65.24.7.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AEA29E52-EE33-4AA6-82C8-43200200CBD4}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3D53ABC2-C946-44D8-B87C-9DBC427A1A44}: DhcpNameServer=168.95.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3FD7B38C-2E85-43C9-9899-A7AB0F7DEA26}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AEA29E52-EE33-4AA6-82C8-43200200CBD4}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AEA29E52-EE33-4AA6-82C8-43200200CBD4}: DhcpNameServer=74.128.18.100 74.128.18.101
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=74.128.18.100 74.128.18.101


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
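
An added example, not part of the thread and not SmitfraudFix's own code. The hosts section above is the classic security-site block: four Spybot and SpywareInfo names pointed at 127.0.0.1, which is why SmitfraudFix reports the file as corrupted. The DNS section shows name servers in the backup control sets (CS1, CS3) that differ from the current one (CCS). The Python below reads both formats and reports each finding. The hosts entries and registry lines are copied from the log; the localhost line, the keyword list and the constructed bank-domain line in the usage note are assumptions.

```python
"""Check the two SmitfraudFix sections that carried real signal in the log
above: the hosts file and the per-ControlSet DNS settings.

Added example: not part of the thread and not SmitfraudFix's own code. The
hosts entries and the HKLM registry lines in the samples are copied from
the log; the localhost line and the security-site keyword list are
assumptions made for this example.
"""
import re

# Substrings that identify security-vendor or support-forum hostnames
# (assumption; extend for your environment).
SECURITY_KEYWORDS = ("spybot", "safer-networking", "spywareinfo",
                     "bleepingcomputer", "malwarebytes", "drweb")
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
DEFAULT_NAMES = {"localhost", "localhost.localdomain"}

SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
"""

SAMPLE_DNS = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AEA29E52-EE33-4AA6-82C8-43200200CBD4}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3D53ABC2-C946-44D8-B87C-9DBC427A1A44}: DhcpNameServer=168.95.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3FD7B38C-2E85-43C9-9899-A7AB0F7DEA26}: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AEA29E52-EE33-4AA6-82C8-43200200CBD4}: DhcpNameServer=74.128.18.100 74.128.18.101
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.10 65.24.7.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=74.128.18.100 74.128.18.101
"""


def audit_hosts(text):
    """Return one finding per non-default hosts entry.

    kind is "sinkholed" when a name is pointed at loopback/null (the classic
    "block the AV vendor" trick) and "redirected" when it is pointed at any
    other address (a phishing/hijack pattern). security_site marks names
    matching SECURITY_KEYWORDS.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            host = name.lower()
            if host in DEFAULT_NAMES:
                continue
            findings.append({
                "host": host,
                "addr": addr,
                "kind": "sinkholed" if addr in SINKHOLE_ADDRS else "redirected",
                "security_site": any(k in host for k in SECURITY_KEYWORDS),
            })
    return findings


# One SmitfraudFix DNS line: HKLM\SYSTEM\<controlset>\Services\Tcpip\<scope>: <key>=<servers>
DNS_LINE = re.compile(
    r"^HKLM\\SYSTEM\\(CCS|CS\d+)\\Services\\Tcpip\\(.+?):\s*(\w*NameServer)=(.*)$")


def nameservers_by_controlset(text):
    """Map control set name -> set of name servers seen for it."""
    seen = {}
    for line in text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        cs, _scope, _key, servers = m.groups()
        seen.setdefault(cs, set()).update(servers.split())
    return seen


def unexpected_nameservers(text):
    """Servers present in a backup ControlSet (CS1, CS2, ...) but absent from
    the current one (CCS). Not necessarily malicious (an old ISP or VPN leaves
    the same trace), but each one should be explained."""
    seen = nameservers_by_controlset(text)
    current = seen.get("CCS", set())
    found = {}
    for cs, servers in seen.items():
        for srv in sorted(servers - current):
            found.setdefault(srv, []).append(cs)
    return {srv: sorted(sets) for srv, sets in found.items()}


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = "SECURITY SITE" if f["security_site"] else ""
        print(f"{f['kind']:10s} {f['addr']:15s} {f['host']}  {flag}")
    for srv, sets in unexpected_nameservers(SAMPLE_DNS).items():
        print(f"name server {srv} only in {', '.join(sets)}; explain or remove")
```

A default hosts file (only localhost lines) yields no findings; a constructed line such as `10.0.0.5 www.example-bank.test` is reported as "redirected" rather than "sinkholed", the pattern to look for when the complaint is "wrong page" rather than "cannot reach the vendor".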

#12 Adrick


Posted 22 February 2009 - 02:27 AM

Goored:

GooredFix v1.91 by jpshortstuff
Log created at 02:26 on 22/02/2009 running Option #1 (Optimus Prime)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\"


************************************************************
END OF LOG * END OF LOG * END OF LOG * END OF LOG * END OF LOG
************************************************************


Good ol' Optimus Prime...
P.S. Get some sleep Chew!

#13 DaChew


Posted 22 February 2009 - 08:02 AM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
Chewy


#14 Adrick


Posted 23 February 2009 - 01:26 PM

SDFix: Version 1.240
Run by Optimus Prime on 2009-02-22 at 22:12

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Optimus Prime\Desktop\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 23:22:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:7c,2a,f0,52,bc,dd,8f,1a,ef,4c,a2,56,a3,24,6d,ac,be,46,82,c2,43,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:400ecaea
"s2"=dword:52f30247
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:7c,2a,f0,52,bc,dd,8f,1a,ef,4c,a2,56,a3,24,6d,ac,be,46,82,c2,43,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:7c,2a,f0,52,bc,dd,8f,1a,ef,4c,a2,56,a3,24,6d,ac,be,46,82,c2,43,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:7c,2a,f0,52,bc,dd,8f,1a,ef,4c,a2,56,a3,24,6d,ac,be,46,82,c2,43,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:7c,2a,f0,52,bc,dd,8f,1a,ef,4c,a2,56,a3,24,6d,ac,be,46,82,c2,43,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"NoPopUpsOnBoot"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™"
"C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe"="C:\\Program Files\\Flagship Studios\\Mythos\\bin\\Mythos.exe:*:Enabled:Mythos"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"="C:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe:*:Enabled:PandoRest Application Name"
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"="C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe:*:Enabled:Veoh Web Player "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :



Files with Hidden Attributes :

Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\is-J1THV.tmp"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 11 May 2001 397,856 A..HR --- "C:\WINDOWS\system32\XceedZip.dll"
Sat 16 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 2 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 16 Feb 2009 87,040 A.SH. --- "C:\Documents and Settings\All Users\Application Data\ExtendMedia\Media Agent\ac.dll"
Thu 9 Oct 2008 3,716 A..HR --- "C:\Documents and Settings\Optimus Prime\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sat 16 Sep 2006 4,348 A..H. --- "C:\Documents and Settings\Optimus Prime\My Documents\My Music\License Backup\drmv1key.bak"
Sat 16 Sep 2006 20 A..H. --- "C:\Documents and Settings\Optimus Prime\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 16 Sep 2006 400 A..H. --- "C:\Documents and Settings\Optimus Prime\My Documents\My Music\License Backup\drmv2key.bak"
Sat 16 Sep 2006 1,536 A..H. --- "C:\Documents and Settings\Optimus Prime\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!


************************************************************
END OF LOG * END OF LOG * END OF LOG * END OF LOG * END OF LOG
************************************************************


WHAT THE SHNOZZBERRIES!

It's working now! Any ideas what caused that?

Thank You DaChew! You're like the offspring of Rambo and Jesus!


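An added example, not SDFix's code and not part of the post above. SDFix's "Authorized Application Key Export" lists every program allowed through the XP firewall, each value in the form path:scope:state:name with backslashes doubled as in a .reg file. The Python below parses that export and flags enabled exceptions for binaries outside the usual install roots, or system-binary names (svchost.exe and friends) living outside the Windows directory, which is how a dropper typically grants itself a network hole. The first four entries are copied from the log; the fifth is constructed to show what a bad entry looks like; the root and name lists are assumptions.

```python
"""Review the Windows XP firewall exception list that SDFix exports in
its "Authorized Application Key Export" section.

Added example: not part of the thread and not SDFix's own code. Each
exported value has the form
    "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
with backslashes doubled as in any .reg file. The first four sample
entries are copied from the log above; the fifth (a svchost.exe in a temp
folder) is constructed to show what a bad exception looks like. The
trusted-root and system-binary lists are assumptions.
"""
import re

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\", "%systemroot%\\")
WINDOWS_ROOTS = ("c:\\windows\\", "%windir%\\", "%systemroot%\\")
# Names malware likes to borrow; legitimate only under WINDOWS_ROOTS.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "spoolsv.exe"}

SAMPLE_LIST = r"""
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\DOCUME~1\\OPTIMU~1\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\OPTIMU~1\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:Windows Update"
"""

REG_VALUE = re.compile(r'^"(?P<key>[^"]*)"="(?P<val>.*)"$')
# The path may start with a drive letter or an %ENV% token, so the first
# ':' cannot simply be used as the field separator.
ENTRY = re.compile(r"^(?P<path>(?:[A-Za-z]:|%\w+%)?[^:]*):(?P<scope>[^:]*)"
                   r":(?P<state>[^:]*):(?P<name>.*)$")


def parse_exceptions(text):
    """Return one dict per exception with derived risk attributes."""
    entries = []
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        val = m.group("val").replace("\\\\", "\\")      # undo .reg escaping
        e = ENTRY.match(val)
        if not e:
            continue
        d = e.groupdict()
        path = d["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        d["enabled"] = d["state"].lower() == "enabled"
        d["unrestricted"] = d["scope"] == "*"           # any remote address
        d["trusted_location"] = path.startswith(TRUSTED_ROOTS)
        d["masquerade"] = base in SYSTEM_NAMES and not path.startswith(WINDOWS_ROOTS)
        entries.append(d)
    return entries


def suspicious(entries):
    """Enabled exceptions that deserve a second look: binaries outside the
    trusted roots, or system-binary names living somewhere else."""
    return [e for e in entries
            if e["enabled"] and (not e["trusted_location"] or e["masquerade"])]


if __name__ == "__main__":
    all_entries = parse_exceptions(SAMPLE_LIST)
    bad = suspicious(all_entries)
    for e in all_entries:
        scope = "ANY" if e["unrestricted"] else e["scope"]
        verdict = "BAD" if e in bad else "OK "
        print(f"{verdict} {scope:28s} {e['path']}  ({e['name']})")
```

The scope field is worth reading as well as the path: the ActiveSync entries in the log are limited to 169.254.2.0/255.255.255.0 (the link-local range a cradled device uses), while almost everything else is open to any remote address, so a legitimate program with an unrestricted exception is still a larger exposure than a scoped one.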

#15 DaChew


Posted 23 February 2009 - 05:21 PM

WHAT THE SHNOZZBERRIES!

It's working now! Any ideas what caused that?


Restoring Default Security Values
Restoring Default Hosts File


???
Chewy




